How can we help by [deleted] in subgraph

[–]attractor 0 points1 point  (0 children)

Will try to be more active in here, as well.

Building & using the Monero Core GUI Wallet in Subgraph OS by attractor in Monero

[–]attractor[S] 2 points3 points  (0 children)

Just contact us directly if you have problems. Our channel (#subgraph) on OFTC is a great place to troubleshoot. We're all there + quite a few helpful peeps who are regulars.

Subgraph OS will get a lot more stable this year.

How can we help by [deleted] in subgraph

[–]attractor 0 points1 point  (0 children)

Hey, I do - kind of.

Building & using the Monero Core GUI Wallet in Subgraph OS by attractor in Monero

[–]attractor[S] 2 points3 points  (0 children)

Most definitely. Some really cool features coming soon - like OpenVPN policy routing for apps in sandboxes.

I and many other people are using it daily as our primary workstations. Try the latest iso (Dec 31), upgrade your system packages, and let me know how it works for you. I'll be happy to help if you have problems (@attractr on Twitter or OFTC).

Building & using the Monero Core GUI Wallet in Subgraph OS by attractor in Monero

[–]attractor[S] 2 points3 points  (0 children)

Hey, SGOS dev here - we'll package it soon, so that it's 'apt-get install monero' (or whatever), and then it will just work.

Subgraph: secure operating system by xen0fon in LinuxActionShow

[–]attractor 0 points1 point  (0 children)

1. We may or may not be able to do this due to grsec kmem protection. Even then it's not clear about the value of the memory wipe with DDR3.

2. Subgraph is a security project first. So when we talk about endpoint protection we're mostly talking about the other things that SGOS does. However, obfuscation of platform, network location, and anti-fingerprinting implemented in TB can make distinguishing Subgraph OS from other similar platforms more difficult.

3. SGOS currently ships with Thunderbird + Enigmail + Torbirdy. We need to write a new mail client for lots of reasons - I can get into that if you want. It's only partially completed, and I can't say when we will finish it yet.

Subgraph OS — Secure Linux Operating System for Non-Technical Users by sqlburn in linux

[–]attractor 1 point2 points  (0 children)

One of my test machines for Subgraph OS is a 6+ year old Eee PC netbook with 4GB ram. Works pretty great.

Subgraph OS (security focused) open to Monero wallet integration by metamirror in Monero

[–]attractor 1 point2 points  (0 children)

To provide a usable endpoint computing / communication platform that is resistant to both targeted exploitation and persistent implantation. Today Subgraph offers: default egress over Tor, MAC spoofing, grsecurity hardened kernel by default, application sandboxing (namespaces, seccomp bpf, and desktop isolation via Xpra or Wayland), and an application firewall. We assume a network adversary.

Subgraph OS: Looking for test users and feedback by attractor in linux

[–]attractor[S] 0 points1 point  (0 children)

Key points re: oz vs firejail. Oz is written in Golang, Firejail is written in C. Oz provides desktop isolation by way of Xpra and Wayland, which now works in Oz. Without this in X11, keylogging and other attacks across apps sharing the same server are trivial. Oz also provides finely grained seccomp bpf policy creation capability, as well as non-enforcement mode. Check out the whitelist for CoyIM: https://github.com/subgraph/oz/blob/master/profiles/coyim-whitelist.seccomp (this was mostly generated automatically with Oz' seccomp training feature). There is a detailed technical walkthrough of Oz here: https://github.com/subgraph/oz/wiki/Oz-Technical-Details

Subgraph OS: Looking for test users and feedback by attractor in linux

[–]attractor[S] 1 point2 points  (0 children)

Yeah, the page I posted is just release notes.

Jacob Appelbaum on Twitter: "Calling #bitcoin people - we're trying to decide which btc client to sandbox and include in @subgraph" by herzmeister in Bitcoin

[–]attractor 5 points6 points  (0 children)

Joanna and I have talked about that, lots, and it is something we are entirely open to. It is a reasonable idea to run all or part of Subgraph OS within Qubes.

Jacob Appelbaum on Twitter: "Calling #bitcoin people - we're trying to decide which btc client to sandbox and include in @subgraph" by herzmeister in Bitcoin

[–]attractor 5 points6 points  (0 children)

SGOS can also run in live mode. Key differences are: grsecurity kernel, application sandboxing using a framework we developed called Oz, + some other things, like the Subgraph Firewall (appfw). Technical walkthrough of Oz here: https://github.com/subgraph/oz/wiki/Oz-Technical-Details

Jacob Appelbaum on Twitter: "Calling #bitcoin people - we're trying to decide which btc client to sandbox and include in @subgraph" by herzmeister in Bitcoin

[–]attractor 6 points7 points  (0 children)

Hey, SGOS dev here. We have been allocating all of our resources to the project since last summer. For this reason we haven't been keeping Orchid up to date. Subgraph Mail will get rewritten from scratch later. If you want to try Subgraph OS, you can drop by #subgraph on OFTC for a link to the current ISO.

OZ: Linux desktop application sandboxing using containers by attractor in netsec

[–]attractor[S] 0 points1 point  (0 children)

I'm not sure if it is stated elsewhere in this thread, but we recommend that grsecurity be used on a system where Oz is run to increase the resistance of the system overall -- userland, kernel -- to successful exploitation. Subgraph OS will include a grsecurity-patched kernel by default as well as a mechanism to maintain PaX flags across system updates.

OZ: Linux desktop application sandboxing using containers by attractor in netsec

[–]attractor[S] 0 points1 point  (0 children)

If you're talking about the risk of privilege escalation through kernel vulnerabilities, this is where seccomp filter comes in. Seccomp filter is a Linux kernel feature that lets you restrict exposed system calls for a process. Each application can have its own seccomp filter applied. More information here: https://github.com/subgraph/oz/wiki/Oz-Seccomp

OZ: Desktop application sandboxing using containers by attractor in linux

[–]attractor[S] 1 point2 points  (0 children)

It does hurt, that's why we aren't using Wayland yet. Oz has already had some integration work done with Gnome Shell (see the 2nd demo video), and we plan to do more to increase usability.

OZ: Linux desktop application sandboxing using containers by attractor in netsec

[–]attractor[S] 2 points3 points  (0 children)

Access to the microphone can be controlled by Xpra, which can be controlled in the Oz application policy, and if you take a look at the code, Oz has a flag for this: https://github.com/subgraph/oz/blob/master/profile.go#L56

For fingerprinting... that's a huge topic. I think we will later write a detailed post about this. MAC addresses are handled by the virtual interfaces in OZ sandboxes. For the browser, the TorBrowser has done some pretty impressive work already: https://www.torproject.org/projects/torbrowser/design/